Workshop Exercise 3.2 - Installation and Configuration of FDO

Objective

In this exercise, we’ll investigate how to install FDO and configure it. We’ll be using the “all-in-one” installation method to simplify the setup.

Note

The information below is provided as a reference only, and does not need to be run during the workshop. Your instructor has already set up FDO to speed up the flow of the workshop.

Step 1 - Installing FDO AIO

FDO is provided via RPMs, and can be installed with dnf:

sudo dnf -y install fdo-aio

Once finished, the various FDO components and utilities will be available on the system.

Step 2 - Reviewing the Configuration Files

After installing FDO, the fdo-admin-tool can be used to generate the base configuration files and keys that the services need:

fdo-admin-tool aio --directory /etc/fdo/aio --binary-path /usr/libexec/fdo generate-configs-and-keys

Once the command completes, everything will be available under /etc/fdo/aio.

The two main configuration files we’ll review today are the aio_configuration and the serviceinfo_api_server.yml.

First, aio_configuration defines the overall configuration of the AIO installation:

---
cert_organization: FDO AIO
cert_country: US
listen_ip_address: 0.0.0.0
listen_port_manufacturing_server: 8080
listen_port_owner_onboarding_server: 8081
listen_port_rendezvous_server: 8082
listen_port_serviceinfo_api_server: 8083
separate_manufacturing_and_owner_voucher_store: false
manufacturing_enable_plain_di: false
manufacturing_disable_key_storage_filesystem: false
manufacturing_disable_key_storage_tpm: false
manufacturing_use_secp256r1: false
contact_hostname: ~
contact_addresses:
  - IpAddr: 10.15.108.176
  - IpAddr: "2620:52:0:f6c:250:56ff:fe9b:c712"
  - IpAddr: "fe80::250:56ff:fe9b:c712"
serviceinfo_api_auth_token: S7RLRqSQeAi2c6qJItyHsnq+9no968D7k6tReMbWI2E=
serviceinfo_api_admin_token: sYYWHXSCC5hiE9fpo7/oMA+2EBuP7+LoLWfoU7JkI+4=

These are the defaults generated by the command above. Notice the certificate information (organization and country), the listening ports, the addresses used to contact the various services, and the auth and admin tokens for the serviceinfo API.

Next, the serviceinfo_api_server.yml:

---
service_info:
  initial_user:
    username: fdo-init
    sshkeys:
      - 'example-key-here'
  files:
  - path: /root/resolv.conf
    source_path: /etc/resolv.conf
  commands: ~
  diskencryption_clevis:
  - disk_label: /dev/sda4
    binding:
      pin: tpm2
      config: "{}"
    reencrypt: true
  additional_serviceinfo: ~
bind: "0.0.0.0:8083"
service_info_auth_token: S7RLRqSQeAi2c6qJItyHsnq+9no968D7k6tReMbWI2E=
admin_auth_token: sYYWHXSCC5hiE9fpo7/oMA+2EBuP7+LoLWfoU7JkI+4=
device_specific_store_driver:
  Directory:
    path: /etc/fdo/aio/stores/serviceinfo_api_devices

This configuration file defines the steps taken after the device has reached out to the onboarding server. The main components, matching the keys under service_info above, are:

- initial_user: the user to create on the device (fdo-init here) and the SSH public keys to authorize for it
- files: files to place on the device, each copied from source_path on the server to path on the device
- commands: commands to run on the device during onboarding (none here)
- diskencryption_clevis: disk encryption binding through Clevis, here binding /dev/sda4 to the tpm2 pin and re-encrypting the volume
- additional_serviceinfo: any extra service info entries to send (none here)

Below service_info, bind sets the address and port the serviceinfo API listens on, the two tokens authenticate the service's callers and its admin interface (they match the values in aio_configuration), and device_specific_store_driver points at the per-device store directory.

These configuration files ultimately define the onboarding process handled by FDO.
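Because the two files above have to agree with each other (same tokens, same serviceinfo port) and carry bearer secrets, it is worth checking an edited configuration before starting the services. The script below is an added example, not part of the fdo-aio package or the workshop materials. It assumes the file names and flat "key: value" layout shown above and reads them with awk/grep line matching rather than a YAML parser; the sample files and token strings it writes are constructed for the demo and are not real secrets. The permission check relies on find's -perm /MODE form (GNU and busybox find).

```shell
# Added example: preflight checks for an FDO AIO configuration directory.
# Not part of fdo-aio; reads aio_configuration and serviceinfo_api_server.yml
# with plain awk/grep line matching (enough for the flat layout shown above,
# not a full YAML parser).

# yaml_value FILE KEY: print the scalar after "KEY:" (first match, any
# indentation) with surrounding quotes removed.
yaml_value() {
    awk -v k="$2" -v sq="'" '
        $1 == (k ":") {
            sub(/^[^:]*:[ \t]*/, "")      # drop the key and separator
            gsub(/"/, ""); gsub(sq, "")   # strip quotes around the value
            print; exit
        }' "$1"
}

# fdo_preflight DIR: print findings; return 0 if the configuration is
# consistent and its secrets are protected, 1 otherwise.
fdo_preflight() {
    dir=$1
    aio="$dir/aio_configuration"
    svc="$dir/serviceinfo_api_server.yml"
    rc=0
    for f in "$aio" "$svc"; do
        [ -f "$f" ] || { echo "FAIL: missing $f"; return 1; }
    done

    # The generated defaults carry identical token values in both files;
    # a mismatch means one file was edited without the other.
    if [ "$(yaml_value "$aio" serviceinfo_api_auth_token)" != \
         "$(yaml_value "$svc" service_info_auth_token)" ]; then
        echo "FAIL: auth token differs between the two files"; rc=1
    fi
    if [ "$(yaml_value "$aio" serviceinfo_api_admin_token)" != \
         "$(yaml_value "$svc" admin_auth_token)" ]; then
        echo "FAIL: admin token differs between the two files"; rc=1
    fi

    # The serviceinfo bind port must be the one aio_configuration lists.
    bind=$(yaml_value "$svc" bind)
    if [ "${bind##*:}" != "$(yaml_value "$aio" listen_port_serviceinfo_api_server)" ]; then
        echo "FAIL: bind port ${bind##*:} != listen_port_serviceinfo_api_server"; rc=1
    fi

    # The placeholder key from the generated file gives the initial user no
    # usable SSH login.
    if grep -q 'example-key-here' "$svc"; then
        echo "FAIL: initial_user.sshkeys still holds the placeholder key"; rc=1
    fi

    # Both files hold bearer tokens: no other local user should read them.
    loose=$(find "$dir" -type f -perm /077)
    if [ -n "$loose" ]; then
        echo "FAIL: readable by group/other:"; echo "$loose"; rc=1
    fi

    # Link-local (fe80::/10) contact addresses only work on the same L2
    # segment, so devices elsewhere cannot reach the services through them.
    if grep -Eq 'IpAddr: *"?fe80:' "$aio"; then
        echo "WARN: contact_addresses include a link-local fe80:: address"
    fi
    return $rc
}

# write_sample DIR SERVICEINFO_AUTH_TOKEN SSHKEY: constructed sample files
# (the token strings are made up for the demo, not real secrets).
write_sample() {
    mkdir -p "$1"
    cat > "$1/aio_configuration" <<EOF
---
listen_port_serviceinfo_api_server: 8083
contact_addresses:
  - IpAddr: 10.0.0.10
serviceinfo_api_auth_token: CONSTRUCTED-AUTH-TOKEN
serviceinfo_api_admin_token: CONSTRUCTED-ADMIN-TOKEN
EOF
    cat > "$1/serviceinfo_api_server.yml" <<EOF
---
service_info:
  initial_user:
    username: fdo-init
    sshkeys:
      - '$3'
bind: "0.0.0.0:8083"
service_info_auth_token: $2
admin_auth_token: CONSTRUCTED-ADMIN-TOKEN
EOF
    chmod 600 "$1/aio_configuration" "$1/serviceinfo_api_server.yml"
}

demo=$(mktemp -d)
write_sample "$demo/good" CONSTRUCTED-AUTH-TOKEN "ssh-ed25519 AAAAC3constructed user@host"
fdo_preflight "$demo/good" && echo "good sample: no findings"
write_sample "$demo/bad" WRONG-TOKEN example-key-here
fdo_preflight "$demo/bad" || echo "bad sample: rejected"
rm -rf "$demo"
```

To check a real installation, call fdo_preflight /etc/fdo/aio as root before the systemctl step; a non-zero exit with the listed findings tells you which file to correct.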

Step 3 - Starting Up FDO

Once our configurations are complete, FDO can be started via systemd:

systemctl enable --now fdo-aio

In addition, remember to allow FDO traffic through the firewall:

firewall-cmd --add-port=8080-8083/tcp --permanent
firewall-cmd --reload

Once complete, FDO will be ready to onboard our devices.
